Twitter detects and shuts down password data hack in progress

Twitter engineers shut down what they described as an "extremely sophisticated" hack attack on its network that exposed the cryptographically protected password data and login tokens for 250,000 users.

In a blog post published late Friday afternoon, company officials said affected passwords and tokens have been reset and e-mails are in the process of being sent out to affected users. Twitter said it discovered the breach “earlier this week” and shut it down moments later.

"This attack was not the work of amateurs, and we do not believe it was an isolated incident," Bob Lord, Twitter's director of information security, wrote. "The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked."

Lord also mentioned recent attacks on Oracle's Java software framework for browsers, although he didn't explain what it had to do with the attack on Twitter. He urged users to disable Java on their computers.

Twitter compared the timing of the breach to the recent widespread hacks of the New York Times and the Wall Street Journal, in which Chinese hackers gained access to the papers' databases to track down information on journalists and their sources who were helping write stories critical of the family of China's prime minister.

“[W]e detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data,” Twitter's post read. “We discovered one live attack and were able to shut it down in process moments later.” Towards the end of the post, Twitter said it was still gathering information on what happened:

Twitter also expressed a sentiment we've repeated many times here on Ars: keep passwords strong and don't reuse them on other accounts or sites.

Twitter said the hackers that attacked its network may have accessed "encrypted/salted versions of passwords." In the past, the company has said publicly that it uses the bcrypt cryptographic algorithm to hash passwords. That's good news because the algorithm operates slowly and requires large amounts of computing resources, making it among the hardest for password crackers to defeat. Twitter continues to use bcrypt now, a person familiar with its security regimen told Ars. For more information about the benefits of slow hashes, see the Ars feature Why passwords have never been weaker—and crackers have never been stronger.

Because Twitter has reset user passwords and session tokens, there's reason for optimism that most Twitter accounts will remain safe. But users who used the same password for other online accounts remain at risk. While bcrypt is among the best hashing algorithms available, its use merely slows down the cracking process. Because the breach also exposed Twitter users' e-mail addresses, cracked passwords could be used to compromise accounts on Facebook, LinkedIn, or any number of other sites, if those accounts use the same passcode.


43 Reader Comments

Interestingly, a great number of persons reporting they were affected also happen to be early-adopters of Twitter (and presumably with low-digit account numbers). It appears (on the surface anyway) that the data was accessed in-order of account creation date. The only evidence I have to support this is that my original Twitter account (c.2007) was affected, but another account I run (c.2009) was not. This has also appeared consistent from the reports of other users I have observed...but again, no real data to actually correlate.

Kudos to ARS on the reporting here. It's delightful to see an article that actually clarifies that only hashed passwords were gleaned, and succinctly that they were securely hashed (with even more detail).

Presumably those were stored in an unencrypted format. I'd bet that the hackers will crack the encryption on a small percentage of the hashes, those with the obvious dictionary passwords, and use them to overtake the e-mail addresses. That or they were after a higher value target and got caught too early.

They reset the password for my many-years-old account but not my other more recent one, so I'm thinking Panther's probably correct. Hard to say if Twitter won't let anyone know how the attack worked (which would probably be a security problem for them), but it seems probable.

At any rate, I use absurdly long randomly-generated passwords, so I'm probably fine regardless of what happens. 1Password really makes it easy to go nuts with long, random passwords.

One reason the Java vulnerability may be involved is that Twitter moved its backend from Ruby on Rails to Scala. Scala runs on the JVM, so any vulnerability in it could apply to Scala too (although the exact contours of the attack would likely be slightly different).

Still unclear how attackers would've used this -- this is backend stuff that an attacker would probably have to get to the servers to exploit anyway. If the attackers are already on the servers then it seems like it would be game over already.

Quote:

One reason the Java vulnerability may be involved is that Twitter moved its backend from Ruby on Rails to Scala. Scala runs on the JVM, so any vulnerability in it could apply to Scala too (although the exact contours of the attack would likely be slightly different).

The Java vulnerability only applies to the browser plugin. Server side Java already has system access - there's nothing to exploit.

Quote:

Interestingly, a great number of persons reporting they were affected also happen to be early-adopters of Twitter (and presumably with low-digit account numbers). It appears (on the surface anyway) that the data was accessed in-order of account creation date. The only evidence I have to support this is that my original Twitter account (c.2007) was affected, but another account I run (c.2009) was not. This has also appeared consistent from the reports of other users I have observed...but again, no real data to actually correlate.


Makes sense. If it's a relational database they're stored in, account number is likely the primary key of the table with usernames and passwords. Further, said table is almost certainly sorted and indexed on the account number (because numbers are stupidly easy to do this on), and dumb file reading occurs from the start of a file - whether they queried for it or read the data from disk, it would return in that order.

Of course, this is pure speculation... but I wouldn't expect any other order for an attempt to dump all that data, especially since this sounds like an attempt to grab as much as possible, as opposed to certain individuals. Hopefully the passwords were salted and hashed properly, which would make breaking them too much effort for a random account.

Quote:

Interestingly, a great number of persons reporting they were affected also happen to be early-adopters of Twitter (and presumably with low-digit account numbers). It appears (on the surface anyway) that the data was accessed in-order of account creation date.

...Or perhaps, they (initially at least) used an AutoNumber for account IDs, and the crackers simply ran some kind of SQL dump/transfer command after crafting an SQL injection compromise via Java that (by default) dumped all the data from all the tables (or, all data from certain tables) in order of primary key.

Quote:

Lord also mentioned recent attacks on Oracle's Java software framework for browsers, although he didn't explain what it had to do with the attack on Twitter. He urged users to disable Java on their computers.

When is this Java debacle going to end? I've been holding off from installing Java + NetBeans + LibreOffice on my machine because of this, and looking into alternatives such as MS Visual Studio with VS.PHP (I'm skeptical even of this, because it would bundle Apache onto my machine).

Solomonoff's Secret wrote:

The Java vulnerability only applies to the browser plugin. Server side Java already has system access - there's nothing to exploit.

Do you mean that I can safely install Java with Netbeans + LibreOffice, with little or no security implications, if only I disable all the Java applet browser plugins? Even if so, I'm seriously looking at alternatives to all of these, because the general security policies & practices of Oracle with respect to Java (and also their current intellectual property policies toward Java) aren't making me feel confident that Java has a future.

Quote:

Twitter also expressed a sentiment we've repeated many times here on Ars: keep passwords strong and don't reuse them on other accounts or sites.

Despite not being notified that I am affected by this, I've just updated my password to a very long ASCII string with letters, numbers and symbols. I hope they try to crack my password, and have fun doing it. If they succeed, they'll discover that I'm no dissident and they wasted their time.

At this point, as far as I can tell, all of the 50+ victims I've found opened their accounts in the year 2007. There were one or two from late 2006 and one from 2012 that I am betting is spurious. The only other commonality was that most of them own iPhones but this is probably a coincidence. I got a confirmation from two of them that they definitely do not own any iDevices.

I had my twitter account (which I rarely use) hacked yesterday. Oddly they didn't change my email address and I was able to easily reset the password and delete the spam tweets.

I had a simple password on it so I don't know if it was compromised because of the hack in the article or compromised via some other attack. I have 1password now so the password is now a 20 letter random mess of letters and punctuation.

I too received the heads-up email early yesterday, on my 2007 account. Considering the amount of random hashes and numbers strewn about in my original 14+ character password, I would be nothing short of impressed with the hackers if they could demonstrate the tenacity to crack that one. After the forced reset, I bumped it to 20. Gotta make them hackers earn their victories, you know?

I wished there would be more web admins/programmers that would understand what strong passwords are. The very common scheme of requiring at least one number/upper case character or "special character" does not make passwords stronger but weaker.

https://plus.google.com/105311652077184 ... TtkaKSUTqu

Don't get me wrong, using those characters is a good idea, requiring those characters makes the number of combinations to check smaller, hence all passwords for that website weaker. Sure you can add extra characters to compensate, but most of these sites still allow 6-8 char passwords.
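To put numbers on the claim in the comment above, here is an added example (not the commenter's code, and not tied to any particular site's policy) that counts, by inclusion-exclusion, how many passwords of a given length survive a rule such as "must contain an upper-case letter and a digit", and how many bits of guessing work the rule hands to an attacker who knows it. The character-class sizes (26/26/10/32) are assumed printable-ASCII figures chosen for the example; a brute-force count over a tiny constructed alphabet cross-checks the formula, and a final helper shows how much extra length compensates.

```python
from itertools import combinations, product
from math import log2

# Assumed class sizes for printable ASCII with space excluded; constructed for this example.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def count_passwords(length, classes, required=()):
    """Count strings of `length` over the union of `classes` that contain at least
    one character from every class in `required`. Inclusion-exclusion: start from
    all strings, subtract those missing one required class, add back those
    missing two, and so on."""
    alphabet = sum(classes.values())
    required = tuple(required)
    count = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            remaining = alphabet - sum(classes[c] for c in missing)
            count += (-1) ** k * remaining ** length
    return count


def composition_rule_cost(length, classes, required):
    """Return (fraction of the keyspace the rule leaves, bits of entropy removed).
    An attacker who knows the rule never needs to try a candidate that breaks it."""
    full = count_passwords(length, classes)
    allowed = count_passwords(length, classes, required)
    return allowed / full, log2(full) - log2(allowed)


def brute_force_count(length, alphabets, required):
    """Enumerate every string over the concatenated alphabets and count those that
    satisfy the rule. Only feasible for tiny alphabets; used to cross-check."""
    chars = "".join(alphabets.values())
    hits = 0
    for candidate in product(chars, repeat=length):
        if all(any(ch in alphabets[c] for ch in candidate) for c in required):
            hits += 1
    return hits


def length_to_compensate(length, classes, required):
    """Smallest length at which the rule-constrained keyspace is at least as large
    as the unconstrained keyspace at `length` (the commenter's "add extra
    characters to compensate")."""
    target = count_passwords(length, classes)
    n = length
    while count_passwords(n, classes, required) < target:
        n += 1
    return n


if __name__ == "__main__":
    rule = ("upper", "digit")
    for n in (6, 8, 12):
        fraction, bits = composition_rule_cost(n, CLASSES, rule)
        print(f"length {n}: rule keeps {fraction:.1%} of the keyspace, "
              f"costs {bits:.2f} bits; {length_to_compensate(n, CLASSES, rule)} chars "
              f"under the rule match {n} chars without it")
```

For 8-character passwords the upper-case-plus-digit rule leaves roughly 54% of the unconstrained keyspace, a loss of just under one bit; the fraction shrinks further for the 6-character minimum many sites still accept, which is the commenter's point. Note that this measures only the keyspace an attacker can skip; real users choose far from uniformly, so the practical effect of a rule depends on how it shifts those choices.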

Quote:

Interestingly, a great number of persons reporting they were affected also happen to be early-adopters of Twitter (and presumably with low-digit account numbers). It appears (on the surface anyway) that the data was accessed in-order of account creation date. The only evidence I have to support this is that my original Twitter account (c.2007) was affected, but another account I run (c.2009) was not. This has also appeared consistent from the reports of other users I have observed...but again, no real data to actually correlate.

I don't know if that's a real image of the reset email, but I would hope that they don't use a URL shortener for the password reset link. I think URL shorteners are a terrible idea in general, but that would really take the cake.

Quote:

When is this Java debacle going to end? I've been holding off from installing Java + NetBeans + LibreOffice on my machine because of this, and looking into alternatives such as MS Visual Studio with VS.PHP (I'm skeptical even of this, because it would bundle Apache onto my machine).

If you think having a JDK and Netbeans installed makes you vulnerable, then you probably shouldn't be writing software in any language.

Quote:

I don't know if that's a real image of the reset email, but I would hope that they don't use a URL shortener for the password reset link. I think URL shorteners are a terrible idea in general, but that would really take the cake.

No, I made it up on the spot as soon as I heard about the compromise, before I got a sample of the real email.

Funnily enough I guessed what the header image looks like almost exactly, just take off the text.

More importantly, demand any company that gets hacked be held accountable. Then maybe we'll see some real security implemented at Facebook, Sony, Twitter, et al.

And Google, and RSA, and Yahoo, and Barnes and Noble, and the New York Times, and the Washington Post, and the Wall Street Journal, and Lockheed Martin as well as most other large defense contractors, and Verisign, and University of Phoenix, and Wal-Mart, and Blizzard, and the governments of many countries, and AOL... basically 'et al.' means "absolutely everyone" at this point.

They detected this attack *in progress* when it had only gotten through 250,000 accounts of a few hundred million. What more do you WANT?

I want 2-factor authentication, like practically every other major site on the Web has at this point. Twitter is very blatantly the last outstanding bastion of copping out with "we can't figure out how to scale 2-factor to our enormous userbase", even though much larger entities (Facebook, Google) have done so just fine. That is not too much to ask for in the slightest.

Quote:

They detected this attack *in progress* when it had only gotten through 250,000 accounts of a few hundred million. What more do you WANT?

I want 2-factor authentication, like practically every other major site on the Web has at this point. Twitter is very blatantly the last outstanding bastion of copping out with "we can't figure out how to scale 2-factor to our enormous userbase", even though much larger entities (Facebook, Google) have done so just fine. That is not too much to ask for in the slightest.

I guess that's a fair point, but they run on much thinner profits than Google, to pick the obvious heavyweight, and they already have scaling problems with the functionality they already support. You've probably seen the recent spate of Fail Whales, i.e. the argument that they can't scale that is valid, but that's because they fall over under ordinary load anyway.

So when will hacking become an act of war? Seriously, are we going to let China continue to hack our networks unanswered?

Ask the NSA, CIA and DoD. You might also inquire at what point, when virtually all internet data that passes through servers in a country is harvested, analyzed and archived by its government for future reference, said country is deemed to be at civil war, since it's an increasingly popular government function in many flavors.

Update: We just spoke with a Twitter representative that stressed that the company doesn't have definitive evidence that the accounts were in fact compromised at this time, and that the steps being taken today are a preventative measure. Twitter's investigation is ongoing.

Given that the stolen hashes were ALSO salted, it's unlikely that the hash will even give them access to other accounts with the same email address except in the most insecure of cases. (In which case, it's really not Twitter's fault.)